Technology, media and telecommunications law update – June 2016

Key developments during June 2016 in the area of Technology, Media and Telecommunications (TMT) are summarised as follows.

Pecuniary Penalties Imposed for Misleading Advertising
The Federal Court has imposed a penalty of $1.5 million on an Australian sports bet company, and a penalty of $1.25 million on a related UK corporation, for publishing a misleading advertisement in connection with the supply of betting services: Australian Competition and Consumer Commission v Hillside (Australia New Media) Pty Ltd t/a Bet365 (No 2) [2016] FCA 698. The companies had advertised “$200 free bets for new customers” which implied that free bets were available without limitation or restriction when in fact a number of limitations and conditions applied. The court declined to grant an injunction in addition to the financial penalties, observing that this would have served no purpose as there was material likelihood of future repetition.

Privacy breach involving disclosure of information to spouse
On 27 June 2016, the Privacy Commissioner found that an insurer breached the complainant’s privacy by disclosing the complainant’s insurance records to his spouse and daughter: “IQ” and NRMA Insurance, Insurance Australia Ltd [2016] AlCmr 36. The complainant’s spouse attended the insurer’s office to enquire about compulsory third party insurance and comprehensive motor insurance for her car and, in advising the spouse that she would be offered the same no claim bonus as the complainant, turned the computer monitor to the spouse to reveal the complainant’s personal information. The Privacy Commissioner held that the insurer had breached National Privacy Principle 2.1 (the equivalent of the current Australian Privacy Principle 6.1) by using the complainant’s personal information in a manner which the complainant would not have reasonably expected. The insurer was required to issue an apology, pay the complainant $2,000.00 and review its staff training procedures.

Privacy breach caused by disclosure of personal information by insurer to joint policy holder
On 27 June 2016, the Privacy Commissioner held that an insurer breached an individual’s privacy by disclosing particulars of policies which she jointly held with her husband to another individual with whom she held joint policies: ‘IR’ and NRMA Insurance, Insurance Australia Ltd [2016] AlCmr 37. The disclosure occurred because the insurer’s policy list, which it used to determine a policy holder’s loyalty discount, contained an itemisation of all the complainant’s assets insured with NRMA. When one joint policy holder received the list, they would become aware of assets in respect of which they did not have an insured interest. The Privacy Commissioner held that the disclosure amounted to an infringement of Australian Privacy Principle 6 (disclosure for an unauthorised purpose) and APP 11 (failing to take reasonable steps to protect information from unauthorised disclosure). The insurer was ordered to issue an apology, pay compensation of $3,000.00 and to review its practice in relation to disclosure of policy information.

Information Security Manual released by Commonwealth government
The Manual was released on 7 June 2016 by the Australian Signals Directorate. The objective is to combat the effects of malicious software (malware) in the context of national security threats and in the context of the broader ramifications of stolen information. The principles aim to provide agencies with detailed security measures that can be implemented to mitigate risks to their information and include, amongst others, principles dealing with outsourced general information technology services, outsourced cloud services, system accreditation, information security monitoring, communications systems and devices, media security, software security, email security, access control and cryptography.

Proposed amendments to Victorian Privacy Legislation
The Freedom of Information Amendment (Office of the Victorian Information Commissioner) Bill 2016 (Vic) was introduced on 23 June 2016. The purpose of the Bill is, in addition to amending the Freedom of Information Act 1982, to establish the office of the Victorian Information Commissioner. A new Part 1A will address the functions and powers of the Information Commissioner together with the appointment of the Privacy and Data Protection Deputy Commissioner.

NSW Government Office Automation Standard
On 8 June 2016, the NSW government issued a technical standard developed by the NSW ICT Procurement and Technical Standards Working Group setting out technical and functional requirements that agencies should consider when commissioning office automation. The scope of the standard incorporates office productivity, messaging, collaboration and unified communications. The objective is to make office procurement more efficient and more strategic, setting out issues which need to be considered so that each agency can identify available options which best suit their business requirements. The standard sets out service definitions as the minimum requirements which vendors must meet in order to offer services through the NSW ICT Services Catalogue. It is intended that the standards will “help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards”.

Productivity Research Paper on ‘Digital Disruption’
In June 2016, the Productivity Commission released a paper entitled Digital Disruption: What do governments need to do? The paper reviewed and interpreted expert opinion on disruptive digital technologies with the objective of informing governments about the policy tasks confronting them. It was observed that advances in computing power, connectivity, mobility and data storage capacity offered opportunities for higher productivity growth and improvements in living standards, but at the same time posed risks of higher inequality and dislocation of labour and capital. From a legal perspective, the paper emphasised that digital technologies allowed for more pervasive collection of data on individuals and this in turn required a consideration of laws relevant to privacy, the unlawful use of information and the integrity of digital networks. The paper observed that “the case for government action in these areas relies on ensuring that the likely benefits of any restrictions outweigh the costs of restrictions to the community”.

Health records amendment in South Australia
The Health Care (Privacy and Confidentiality) Amendment Bill 2016 (SA) was introduced into the South Australian Parliament on 8 June 2016. Unlike some other jurisdictions, South Australia does not have specific health records legislation but the confidentiality of health information is addressed in its Health Care Act 2008. The new Bill amends the Health Care Act by extending restrictions on “disclosure” of personal information in section 93 to embrace both “use” and “disclosure”, and by introducing a new section 94 which specifically prohibits the unauthorised accessing of health records by health employees other than in the course of performance of their official functions and duties.

Health Records Proceedings in Victoria
The applicant brought proceedings under the Health Records Act 2001 against the Department of Education and Training in relation to the alleged mishandling of a file note by the principal at a school at which the applicant taught. The Department claimed legal professional privilege in respect of the file note on the basis that it recorded a conversation between the principal and the Department’s in-house lawyer. The Victorian Civil and Administrative Tribunal determined that whilst legal professional privilege applied to the file note, the Department had waived the privilege by disclosing the file note in the course of a WorkCover claim brought by the applicant. The Tribunal took account of the fact that prevention of the disclosure of the material would have the effect of reducing the applicant’s capacity to have the whole of her claims heard and determined: Harrison v Department of Education and Training (Human Rights) [2016] VCAT 913.

AMA Position Statement on e-Health Records
The Federal Government’s My Health Records System, which in 2015 replaced the previous government’s Personally Controlled Electronic Heath Records System, enables the sharing of electronic health records between medical practitioners. Privacy controls set out in the My Health Records Act 2012 provide patients with the ability to block or modify access to critical information such as medications, allergies and diagnostic test results. A position paper entitled Shared Electronic Medical Records 2016 issued by the Australian Medical Association on 16 June 2016, expresses concern that, as a result, doctors cannot be confident that the electronic records contain all relevant information and accordingly the records must be regarded with “clinical suspicion” and, rather than being relied upon, “should be viewed as extra and bonus clinical information about the patient”.

Improper disclosure of information by a medical practitioner
On 27 June 2016, the Privacy Commissioner held that a medical practitioner infringed a patient’s privacy by circulating details of his medical condition to third parties in the mistaken belief that he was entitled to do so: ‘IV’ and ‘IW’ [2016] AlCmr 41. The complainant had sent an email to the respondent, his medical practitioner, and six third party recipients requesting a response to questions of a religious nature. The respondent responded to the patient and the third parties and, in doing so, made reference to his treatment of the complainant’s delusional depression. The Privacy Commissioner concluded that the disclosure constituted a breach of Australian Privacy Principle 6.1(a) on the grounds that a disclosure of personal information had been made without the individual’s consent, rejecting the respondent’s assertion that consent should be implied from the complainant’s email. The Privacy Commissioner considered that whilst the third parties could be included in a theological discussion, this did not extend to disclosure of the respondent’s medical condition. The Privacy Commissioner also found that the respondent had breached APP 10.2 by using personal information which was not relevant to the purpose for which it had been disclosed originally by the complainant. The respondent was ordered to pay the complainant $10,000.00 in compensation.